Tools Help Keep Bugs Out From The Beginning - InformationWeek

6/3/2005
Tools Help Keep Bugs Out From The Beginning

Vendors put more emphasis on catching software vulnerabilities during development

Troubleshooting security problems in software that runs the business is a high priority for IT staffs. But there's a growing recognition that catching vulnerabilities during development should be an even higher one.

This week at its TechEd Conference 2005 in Orlando, Fla., Microsoft will demonstrate a code scanner that can identify a security problem, lead a developer to the line of source code that contains it, and even help fix it. SPI Dynamics Inc.'s DevInspect and SecureObjects provide the capabilities. The .Net security tools are being integrated with Microsoft's Visual Studio 2005, expected to be available late this year.

Such tools are becoming more common in the Microsoft and Java/C++ development environments. "Traditionally there's been some looking at the code base, but when you start looking at 10 to 20 million lines for vulnerabilities, that's a challenge," says Howard Schmidt, former special adviser on cyberspace security to the White House and one-time chief security officer for Microsoft. Automated tools can look more methodically and tirelessly than the human eye, Schmidt says.

One source of such technology is traditional software-testing tool suppliers. Mercury Interactive Corp., for example, has licensed SPI Dynamics' code scanner and fixer and offers it with five of its test products.

Even vendors outside the development arena are getting into the act. This week, RSA Security Inc. will make it simpler for developers to add security services to applications without deep knowledge of encryption or digital certificates. The RSA BSafe Data Security Manager provides developers with a drop-down menu of security mechanisms to protect sensitive data. BSafe adds the protection automatically out of view of the programmer rather than through additional laborious programming, says Chris Parkerson, senior product manager.

But startups that have made security a specialty are entering the scene. In addition to SPI Dynamics, there's Coverity Inc., an outgrowth of research by associate professor Dawson Engler at Stanford University's Computer Science Lab. Engler also is Coverity's chief scientist.


Poor data-input validation causes most security gaps, SPI’s Sima says.

Photo by AP
With more software being developed for use on the Web, it's critical for developers to understand when they're creating openings for intruders. Engler's research illustrates that many developers assume data inputs from users will be just as they prescribe, leaving an opportunity for intruders to insert JavaScript or HTML code that a server would run as it tried to read the "user" input.

About 80% of existing security exposures can be attributed to poor data-input validation, says Caleb Sima, SPI Dynamics' founder and chief technology officer. Examples are buffer overflows and SQL injection, in which SQL commands are entered in place of the requested user data and seize control of a database.
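As an added illustration (not code from SPI Dynamics, Coverity or this article), here is a minimal source scanner of the kind the article describes: it parses a constructed Python module and reports the line and column of each database call whose SQL text is assembled from runtime values, the unvalidated-input flaw Sima attributes most exposures to. The sample module, the `execute` naming heuristic and the "dynamic string" rule are assumptions made for the demonstration.

```python
import ast

# Constructed sample module: one query built by string concatenation
# (the input-validation flaw the article describes) and one that is
# parameterized. Line numbers inside this string are what the scanner reports.
SAMPLE_SOURCE = '''\
import sqlite3

def find_user(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    return cur.fetchall()

def find_user_safe(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
    return cur.fetchall()
'''


def _is_dynamic_string(node):
    """True when the SQL text is assembled at runtime from other values."""
    if isinstance(node, ast.JoinedStr):            # f"...{name}..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                 # "..." + name, "..." % name
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"           # "...{}".format(name)
    return False


def scan_sql_calls(source):
    """Return (line, column) of every .execute() whose SQL text is dynamic.

    Assumption (heuristic): any attribute call named 'execute' is a DB cursor
    call. A literal string, or a literal plus a parameter tuple, is not flagged.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute"
                and node.args
                and _is_dynamic_string(node.args[0])):
            findings.append((node.lineno, node.col_offset))
    return findings


if __name__ == "__main__":
    for line, col in scan_sql_calls(SAMPLE_SOURCE):
        print(f"possible SQL injection: line {line}, column {col}")
```

Only the concatenated query in `find_user` is reported; the parameterized query in `find_user_safe` passes the user value separately from the SQL text and is left alone.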

Programming efficiency also is becoming more important as companies squeeze IT costs. "Once a security issue shows up in production, it's like putting the software through the development cycle twice. It has to go back to development" to be fixed, says Edward Liebig, principal IT security architect with Computer Sciences Corp. Liebig is former director of IT security at Manulife USA Annuities, now part of John Hancock Financial Services Inc., where he used WebInspect, a code-scanning tool from SPI Dynamics, to review Web apps. He's about to use DevInspect and SecureObjects as part of a CSC development project for a large energy-industry client.

It's important when automatically looking for security holes to not generate a lot of false positives, or conditions that theoretically might leave openings but don't in practice, Liebig says. The best tools, he says, highlight "real, exploitable conditions."
